Patches Don't Make a Security Blanket

August 06, 2001

By Alex Salkever

The alarm bells are still sounding for Code Red. The worm software, which burrows into Web servers and replaces legitimate site content with the message "hacked by Chinese!!!", didn't match the fears of mass Internet destruction. No national crisis ensued. But the worm has infected hundreds of thousands of machines worldwide and will remain a threat for some time to come. Now there's talk of another Code Red virus ready to attack.

For the vast numbers of organizations running Microsoft's popular Internet Information Server (IIS) Web server, Code Red was a major headache. Systems administrators have been vexed: Yet another patch had to be devised in a seemingly endless stream of rescue efforts. Even Microsoft apparently had trouble battening down the hatches. According to reports posted on the popular technology Web site Slashdot.org, Code Red managed to compromise dozens of machines run by Redmond itself. Computer Economics, a tech research firm in Carlsbad, Calif., puts U.S. damage from the worm at $1.2 billion, including $450 million for lost productivity and $750 million for system maintenance and patching.

Worse, Code Red seems like just the latest flavor in a wave of viruses that hackers unleash for sport. "Every six to eight months there's a new crisis. Things are not going to get better," says Ron Hale, CTO of managed-hosting and security provider Telenisus. The rising tide of hazards should keep IT staffs more than busy for some time.

MUTATING ASSAULTS. That underscores a basic problem with the most common Internet security approach: Be alert for viruses and worms, apply patches -- and pray. Watching for hostile electronic invaders will always be an integral part of security. But the programs that do this, intrusion-detection systems (IDS) and antivirus software, function by looking for familiar attack signatures. That is an inherently reactive approach, and one that breaks down in the face of anything remotely new.

Attack signatures represent the specific bits of program code that each virus or worm carries, be it Code Red or the Love Bug. IDS and antivirus systems are getting better at making intelligent guesses as to what is a dangerous piece of incoming code. Yet by definition they are designed to check almost every piece of information -- an impossible task in today's world of meganetworks with data-transmission rates heading toward terabits per second.

Imagine a security guard standing on Fifth Avenue in Manhattan and charged with the Sisyphean task of checking every single person against a list of wanted criminals. Security becomes even harder if the guard ignores someone walking down the street with an assault rifle because that person has not yet made the Most Wanted list. "By definition, these are new attacks, and the patterns are not yet in their databases," says Eric Ogren, marketing vice-president at security software company Okena.

The patching approach to heading off vulnerabilities is, likewise, fraught with problems. Microsoft has issued dozens of patches this year, making their application highly time-consuming. Add to that a steady flow of fixes for other pieces of software, and the average systems administrator can't be blamed for falling a little behind. Combine all of the above with tech cutbacks and understaffed IT departments, and applying a patch can become a choice between it and taking care of core business functions. Automatic patch-application programs might help in the future, but they remain rare for now.

BEHAVIOR POLICE. A new and growing class of security products offers some hope. Rather than relying on identifying the signatures of specific viruses and worms or closing specific vulnerabilities in software applications with patches, these programs examine business processes and try to make intelligent decisions about what constitutes proper behavior on a network. In other words, rather than stop everyone walking down Fifth Avenue, these programs only look for the people who happen to be carrying exposed weapons -- or engaging in any behavior that looks abnormal and potentially dangerous.

How do they work? These programs watch a network from the inside and put software sentries at crucial points. Those software sentries talk to each other and compare behavior across the system against a set of centralized rules. Those rules, which can be customized, dictate what is proper behavior on that network.

Some of these products include AppShield from Sanctum, StormWatch from Okena, and Pitbull from Argus Systems. AppLock from WatchGuard is a product of this type targeted at small businesses. Microsoft has its own version of this in IISlock (although it has the general Windows failing of weak password protection).

For example, AppShield might question, in the case of Code Red, why a request disguised as ordinary HTTP (HyperText Transfer Protocol) traffic, which looks like a command to direct a Web server, is instead trying to write an executable file onto the IIS server and alter server logs. Or, in the case of the buffer-overflow portion of the Code Red worm, AppShield would notice that the code was trying to overflow a character field in IIS -- and take action to stop it. "Some of these out-of-the-box solutions are pretty good," says Eugene Schultz, a Microsoft researcher at Lawrence Livermore Berkeley Labs.
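As an added illustration (not code from the article or from any product it names), here is a small Python comparison of a fixed-signature check against the kind of behavior rules the last two paragraphs describe, run over constructed HTTP request lines. The length limits and the placeholder signature are assumptions, and the oversized sample requests are constructed, not real worm traffic.

```python
"""Signature matching versus behavior rules over HTTP request lines.

Added illustration for the article's argument; the sample requests,
the placeholder signature and the policy limits are all constructed.
"""
import re

# Constructed sample request lines (method, target, version).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /products?id=42 HTTP/1.1",
    # Oversized path padded with one repeated byte: the shape of a
    # field-overflow attempt, whatever code it happens to carry.
    "GET /" + "A" * 300 + "?cmd=%u0000 HTTP/1.0",
    # A variant with a different pad byte: same behavior, new "signature".
    "GET /" + "B" * 300 + "?cmd=%u0000 HTTP/1.0",
]

# Signature approach: a byte pattern learned from one known sample.
KNOWN_SIGNATURES = ["/" + "A" * 300]   # placeholder, constructed

def signature_match(request: str) -> bool:
    """True only if the request contains a pattern already in the database."""
    return any(sig in request for sig in KNOWN_SIGNATURES)

# Behavior approach: rules describing what a proper request looks like,
# independent of any particular attack's bytes (assumed policy values).
MAX_PATH_LEN = 255      # longest path this site legitimately serves
MAX_REPEAT_RUN = 32     # longest run of one repeated byte tolerated

def behavior_violations(request: str) -> list:
    """Return the rules the request breaks; an empty list means it looks proper."""
    parts = request.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["malformed request line"]
    method, target, _ = parts
    path = target.split("?", 1)[0]
    problems = []
    if method not in ("GET", "HEAD", "POST"):
        problems.append("unexpected method " + method)
    if len(path) > MAX_PATH_LEN:
        problems.append("path length %d exceeds %d" % (len(path), MAX_PATH_LEN))
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, target):
        problems.append("long run of a repeated byte (overflow padding)")
    if not all(32 < ord(c) < 127 for c in target):
        problems.append("non-printable byte in request target")
    return problems

def compare(requests):
    """Map each request to (signature hit, behavior violations) for side-by-side review."""
    return {r[:40]: (signature_match(r), behavior_violations(r)) for r in requests}
```

Running compare(SAMPLE_REQUESTS) shows the point of the article: the signature catches only the sample it was built from, while the behavior rules flag both oversized requests and pass the two ordinary ones.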

NO CURE. Adding these new types of application-level security programs to your system is hardly a panacea. According to Schultz, most involve configuring firewalls so that they will never accept connections from unknown Web servers, restricting file sharing and dial-in access, and limiting superuser privileges at the operating-system level.

Hard-core security folks continue to pooh-pooh any type of application-locking software -- they prefer to do the grunt work on their boxes themselves. That said, in a security environment where time and money are increasingly short, out-of-the-box options may be the best way to stave off patch frenzy from Code Red and others.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online.